Many of our clients with CCTV cameras receive requests from An Garda Siochaná, the PSNI or some other Statutory Authority (SAs as they are commonly referred to) for CCTV footage. The familiar problem here is the client is trapped between the rights of the individual(s) on the footage on one side and rights of the SA on the other. Being trapped between two angry parties is not pleasant and could be costly. Failure to get the balance right can result in legal action from the party whose rights were abused. This note explains the general principles an organisation has to follow to protect themselves. If you need specific legal advice please consult your legal advisers.
First it’s important to remember that when investigating crimes the SA is typically empowered by the Law Enforcement Directive not the GDPR. The Law Enforcement Directive (LED) covers the processing of personal data for the purpose of preventing, detecting, investigating or prosecuting criminal offences and for executing criminal penalties. The list of SA who can investigate and prosecute crimes depends on national law, but can include local authorities, revenue etc. Other processing by the SA of personal data for regular uses like HR records falls under the General Data Protection Regulation.
While the SA has these special powers, our clients, the CCTV controller, are still governed by the GDPR this exposes them to three specific threats.
One is if a person (data subjects) captured on CCTV asks “Who have you shared my data with?” the controller is obliged to inform them. Besides the possible embarrassment for controllers, if they don’t have a line in their Privacy Policy covering this type of data sharing, they can be exposed at this point.
The second major threat is meeting the “necessary and proportionate” test. The CCTV controller is expected to satisfy themselves that this is a valid request. The two elements are that the data is required for a criminal investigation and that it is a proportionate request.
To meet this test the CCTV controller should cover these two points:
• Confirm that an investigation into a “criminal offense” is under way
• Confirm that the data is required for the investigation
If the CCTV controller can’t satisfy themselves that this is the case, they don’t have grounds to hand over the requested footage.
The third major threat comes from record keeping. Underpinning the 6 principles of the GDPR is the concept of accountability. This puts an obligation on organisations to have processes in place and to record decisions. Exactly how this is done depends on the organisation but these three steps are common:
(a) Letter from Superintendent outlining what the criminal investigation is
(b) Review the footage
(c) Log who asked, why and what was handed over
The key is to have an approved process and written record of what happened. Failure to keep records is one of the easist to avoid yet most common breeches of data protection law.
If you have any questions about this this or any Data Protection query please get in touch.